[SSL Observatory] certificates for .local names [was: Re: DFN and subordinate CA domain-scoped whitelists]

Phillip Hallam-Baker hallam at gmail.com
Thu Nov 10 09:39:18 PST 2011


On Wed, Nov 9, 2011 at 5:36 PM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:

> > I don't actually see any problem with .local domains using SSL. The real
> > problem comes from browsers telling end users that this means a site is
> > 'safe'. So one approach would be to tell browser providers that when SSL is
> > used at .local sites that the user should never see a padlock icon or any
> > other security indicator in primary chrome.
>
> Sorry, but I don't think you can have this both ways.  I think you get
> two choices:
>
>  0) You can think cryptographic authentication is important on the LAN;
> in this case you have to acknowledge that signing a .local certificate
> by a global certificate authority really doesn't make any sense without
> somehow forcing it to be scoped to a specific LAN.  I'm not convinced
> that such a link-layer-scoping mechanism has ever been proposed for
> X.509, much less implemented.  It's certainly not present in the
> certificates gathered by the observatory project.
>
> or
>
>  1) You think that cryptographic authentication is *not* important for
> the LAN.  In this case, there's no reason for *anyone* to create .local
> certificates, let alone for a global certificate authority to do so.
>
> It would be nice if someone from a responsible Certificate Authority
> (even one that has made mistakes in the past) would stand up and say
> "this doesn't make sense; good CAs won't do things this way".  It's a
> little disheartening to hear consistent pushback that claims that things
> are not as bad as we fear, that we just need to "trust" more in a system
> that already appears to be failing in many ways, or that practices which
> are pretty clearly a bad idea are actually somehow reasonable.
>

I think you misunderstand my point here. I am arguing that if we want
to make changes that stick here we have to do more than just tell
people 'no soup for you'.


I think that it is pretty clear that there is a need for SSL in .local.
It is also clear that having public CAs issuing unrestricted public certs
is not an ideal solution.

.local names have always been prohibited for EV because of the
issues raised.


What should be done with DV depends on what your view is of
the security DV can provide. I don't think it provides much security at
all because there is no demonstration of accountability. Anyone
can get a domain name. My preference would be no more padlock
icons at all.
-- 
Website: http://hallambaker.com/